Do patients have the right to request restrictions?

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule grants individuals the right to request restrictions regarding the use and disclosure of their protected health information (PHI) for treatment, payment, and healthcare operations. The law also grants individuals the right to request restrictions for other disclosures, such as those made to family members and persons involved in the individual’s care. However, covered entities are not required to agree with the requested restrictions.


Patient rights under HIPAA

HIPAA was established to protect the privacy and security of patients' health information. While HIPAA places numerous obligations on healthcare providers, health plans, and business associates, it also grants patients rights regarding their PHI, including:

  • The right to access health records: Patients can inspect and obtain copies of their medical records and other health information maintained by covered entities. This allows individuals to stay informed about their health and participate more actively in healthcare decisions.
  • The right to request amendments: Patients may request changes to their health information if they believe it is inaccurate or incomplete. Healthcare providers must review these requests and provide a written explanation if a request is denied.
  • The right to receive a Notice of Privacy Practices (NPP): Patients are entitled to receive information explaining how a healthcare organization may use and disclose PHI and outlining their rights under HIPAA.
  • The right to request restrictions: Patients can ask healthcare providers to limit certain uses or disclosures of their PHI. In some circumstances, such as when a patient pays for a service entirely out of pocket, providers may be required to honor the request.
  • The right to request confidential communications: Patients may request that healthcare providers communicate with them through specific channels or at specific locations, such as a designated email address or phone number.
  • The right to receive an accounting of disclosures: Patients can obtain information about certain disclosures of their PHI made outside of routine treatment, payment, and healthcare operations.
  • The right to file a complaint: Patients who believe their privacy rights have been violated may file a complaint with the healthcare organization involved or with the Office for Civil Rights (OCR), which enforces HIPAA.

Go deeper: What are patient rights under HIPAA?


The right to restriction

One of the lesser-known patient rights under HIPAA is the right to request restrictions on how protected health information (PHI) is used and disclosed. This right allows patients to ask healthcare providers, health plans, and other covered entities to limit certain uses or disclosures of their health information, giving patients greater control over their privacy.

According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule requires covered entities to allow individuals to "request that a covered entity restrict the use or disclosure of their PHI for treatment, payment, [and] health care operations." However, HHS notes that "in most cases, covered entities are not required to agree with the requested restrictions."

For example, a patient may request that information about a particular condition not be shared with certain family members involved in their care. Another patient may ask that details of a specific treatment not be disclosed to their health plan. While healthcare organizations must consider these requests, they can deny them if complying would interfere with patient care, payment processes, or healthcare operations.

There is, however, one important exception. HHS states that a covered entity "is required to agree" to a patient's request to restrict disclosure of PHI to a health plan when the information relates solely to a service that has been paid for in full out of pocket and the disclosure is not otherwise required by law.

This provision can be particularly valuable for patients receiving sensitive healthcare services who do not want those services reflected in insurance records. For instance, if a patient pays out of pocket for a reproductive health visit, they may request that information about that visit not be disclosed to their insurer. In such circumstances, the provider must honor the request.


When can covered entities refuse a patient’s right to restriction?

When the covered entity agrees to the restriction, it must adhere to the restriction for all future disclosures. However, the Privacy Rule recognizes that in certain situations, an individual's health and well-being may depend on the unrestricted flow of information. For instance, if a patient has a medical emergency, it may be necessary to share PHI with another healthcare provider to ensure they receive the right treatment promptly. In such cases, the disclosing provider must request that the information be used solely for providing emergency treatment.

Furthermore, there are circumstances in which a covered entity may not be required to comply with a patient's request for a restriction. Legal obligations may take precedence over a patient's privacy preferences when federal or state laws require the disclosure of certain health information. For example, if a healthcare provider is legally required to disclose PHI for public health reporting, law enforcement purposes, or other mandated activities, the provider must comply with those legal requirements regardless of the patient's request. Similarly, when disclosure of PHI to a health plan for payment or healthcare operations is required by law and is not subject to the healthcare provider's discretion, the covered entity must make the disclosure even if the patient has requested that the information be withheld. In such cases, HIPAA does not permit patient-requested restrictions to override applicable legal requirements.

However, there are other scenarios when a covered entity is required to comply with a patient's request for restriction:

  • The disclosure of PHI to a health plan is for payment or healthcare operations and is not mandated by law.
  • The PHI in question relates solely to a healthcare item or service for which the individual (or someone other than the health plan on behalf of the individual) has paid the covered entity in full.

See also: What are patient rights under HIPAA?


The HITECH-HIPAA Omnibus Rule

The HITECH-HIPAA Omnibus Rule states that “a covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if the disclosure is for the purposes of carrying out payment or health care operations and not otherwise required by law; and the protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.”

The Omnibus Rule also requires that a statement be included in the Notice of Privacy Practices summarizing the individual’s right to a restriction and the covered entity’s requirement to accept the restriction to disclose PHI about the individual to a health plan.

However, the Omnibus Rule’s new restriction requirements do not change the covered entity’s general obligation to disclose only the information the health plan requests, and only the amount judged to be the “minimum necessary” to fulfill that request, unless the patient has agreed to a broader disclosure, such as through an agreement with the health plan or an authorization on file with the covered entity.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

Why were HIPAA patient rights created?

HIPAA patient rights were established to protect the privacy and security of health information while giving individuals greater control over how their medical data is used and shared by healthcare providers and health plans.


How quickly must providers respond to record requests?

HIPAA generally requires covered entities to respond to access requests within 30 days, with a possible 30-day extension if needed, provided the patient is notified in writing.